Certified Information Systems Auditor (CISA) — Question 606

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

Answer options

• A. Short key length
• B. Use of asymmetric encryption
• C. Use of symmetric encryption
• D. Random key generation

Correct answer: A

Explanation

A short key length is a significant concern because it can make brute force attacks feasible, allowing attackers to try all possible keys in a reasonable time. Asymmetric encryption typically involves longer keys, which are more secure against such attacks, while symmetric encryption is also secure if key length is adequate. Random key generation enhances security by preventing predictability, thus reducing the risk of successful brute force attacks.